| From fb84c82cfb35905a6f944f5db2f5e11ee41724a5 Mon Sep 17 00:00:00 2001 |
| From: Wen Huang <huangwenabc@gmail.com> |
| Date: Thu, 28 Nov 2019 18:51:04 +0800 |
| Subject: [PATCH] libertas: Fix two buffer overflows at parsing bss descriptor |
| |
| commit e5e884b42639c74b5b57dc277909915c0aefc8bb upstream. |
| |
| add_ie_rates() copies rates without checking the length |
| in the bss descriptor from a remote AP. When a victim connects to |
| a remote attacker, this may trigger a buffer overflow. |
| lbs_ibss_join_existing() copies rates without checking the length |
| in the bss descriptor from a remote IBSS node. When a victim connects to |
| a remote attacker, this may trigger a buffer overflow. |
| Fix them by putting the length check before performing the copy. |
| |
| This fix addresses CVE-2019-14896 and CVE-2019-14897. |
| This also fixes a build warning about mixed declarations and code. |
| |
| Reported-by: kbuild test robot <lkp@intel.com> |
| Signed-off-by: Wen Huang <huangwenabc@gmail.com> |
| Signed-off-by: Kalle Valo <kvalo@codeaurora.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c |
| index 57edfada0665..c9401c121a14 100644 |
| --- a/drivers/net/wireless/marvell/libertas/cfg.c |
| +++ b/drivers/net/wireless/marvell/libertas/cfg.c |
| @@ -273,6 +273,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int *nrates) |
| int hw, ap, ap_max = ie[1]; |
| u8 hw_rate; |
| |
| + if (ap_max > MAX_RATES) { |
| + lbs_deb_assoc("invalid rates\n"); |
| + return tlv; |
| + } |
| /* Advance past IE header */ |
| ie += 2; |
| |
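Review bot: The new early return in add_ie_rates() is silent to the caller: it hands back `tlv` unchanged and leaves `*nrates` alone, so an over-long rates IE looks the same as an IE that has no rates in common with the hardware. The callers are outside this hunk, so whether association then proceeds with an empty rates TLV cannot be confirmed here and is worth checking. Since `ie[1]` is a length byte supplied by the remote AP, I would log the rejected value for triage, `lbs_deb_assoc("invalid rates IE length %d\n", ap_max);`, and put a comment above the check such as `/* ie[1] comes from the remote AP; bound it before it drives the copy loop below */`. The rest of the function body lies outside the hunk.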
| @@ -1717,6 +1721,9 @@ static int lbs_ibss_join_existing(struct lbs_private *priv, |
| struct cmd_ds_802_11_ad_hoc_join cmd; |
| u8 preamble = RADIO_PREAMBLE_SHORT; |
| int ret = 0; |
| + int hw, i; |
| + u8 rates_max; |
| + u8 *rates; |
| |
| /* TODO: set preamble based on scan result */ |
| ret = lbs_set_radio(priv, preamble, 1); |
| @@ -1775,9 +1782,12 @@ static int lbs_ibss_join_existing(struct lbs_private *priv, |
| if (!rates_eid) { |
| lbs_add_rates(cmd.bss.rates); |
| } else { |
| - int hw, i; |
| - u8 rates_max = rates_eid[1]; |
| - u8 *rates = cmd.bss.rates; |
| + rates_max = rates_eid[1]; |
| + if (rates_max > MAX_RATES) { |
| + lbs_deb_join("invalid rates"); |
| + goto out; |
| + } |
| + rates = cmd.bss.rates; |
| for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) { |
| u8 hw_rate = lbs_rates[hw].bitrate / 5; |
| for (i = 0; i < rates_max; i++) { |
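Review bot: The `goto out` added for `rates_max > MAX_RATES` leaves `ret` untouched, and the only assignments visible in this patch are `int ret = 0` and the lbs_set_radio() result, so the join probably reports success for a descriptor it has just rejected; setting `ret = -EINVAL;` before the jump would make the failure visible to the caller. `rates_eid` is looked up outside this hunk: if that lookup runs under rcu_read_lock(), this new exit also needs the matching unlock before leaving. The message `"invalid rates"` also lacks the trailing `\n` that the add_ie_rates() hunk uses. The function starts and ends outside the hunk.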
| -- |
| 2.7.4 |
| |